Fault management in a fuel cell-based system

ABSTRACT

A system includes a fuel cell stack, a power communication path, a first controller and a second controller. The fuel cell stack generates electrical power, and the power communication path is coupled between the fuel cell stack and a load of the system to communicate the electrical power to the load. The power communication path includes a switch, which is operable to selectively couple the fuel cell stack to the load and isolate the fuel cell stack from the load. The first controller has a first response time to control the fuel cell stack and control the power communication path. The second controller has a second response time, which is significantly less than the first response time to monitor the power communication path for a fault condition and take corrective action in response to detecting the fault condition.

This application claims the benefit under 35 U.S.C. §119(e) to U.S.Provisional Application No. 60/806,098, entitled “FUEL CELL POWER UNITPROTECTION,” which was filed on Jun. 28, 2006, and is herebyincorporated by reference in its entirety.

BACKGROUND

The invention generally relates to fault management in a fuel cell-basedsystem.

A fuel cell is an electrochemical device that converts chemical energydirectly into electrical energy. There are many different types of fuelcells, such as a solid oxide fuel cell (SOFC), a molten carbonate fuelcell, a phosphoric acid fuel cell, a methanol fuel cell and a protonexchange membrane (PEM) fuel cell.

As a more specific example, a PEM fuel cell includes a PEM membrane,which permits only protons to pass between an anode and a cathode of thefuel cell. A typical PEM fuel cell may employ polysulfonic-acid-basedionomers and operate in the 50° Celsius (C) to 75° temperature range.Another type of PEM fuel cell may employ a phosphoric-acid-basedpolybenziamidazole (PBI) membrane that operates in the 150° to 200°temperature range.

At the anode of the PEM fuel cell, diatomic hydrogen (a fuel) ionizes toproduce protons that pass through the PEM. The electrons produced bythis reaction travel through circuitry that is external to the fuel cellto form an electrical current. At the cathode, oxygen is reduced andreacts with the protons to form water. The anodic and cathodic reactionsare described by the following equations:H₂→2H⁺+2e ⁻ at the anode of the cell, and  Equation 1O₂+4H⁺+4e ⁻→2H₂O at the cathode of the cell.  Equation 2

A typical fuel cell has a terminal voltage near one volt DC. Forpurposes of producing much larger voltages, several fuel cells may beassembled together to form an arrangement called a fuel cell stack, anarrangement in which the fuel cells are electrically coupled together inseries to form a larger DC voltage (a voltage near 100 volts DC, forexample) and to provide more power.

The fuel cell stack may include flow plates (graphite composite or metalplates, as examples) that are stacked one on top of the other, and eachplate may be associated with more than one fuel cell of the stack. Theplates may include various surface flow channels and orifices to, asexamples, route the reactants and products through the fuel cell stack.Several PEMs (each one being associated with a particular fuel cell) maybe dispersed throughout the stack between the anodes and cathodes of thedifferent fuel cells. Catalyzed electrically conductive gas diffusionlayers (GDLs) may be located on each side of each PEM to form the anodeand cathodes of each fuel cell. In this manner, reactant gases from eachside of the PEM may leave the flow channels and diffuse through the GDLsto reach the PEM.

SUMMARY

In an embodiment of the invention, a system includes a fuel cell stack,a power communication path, a first controller and a second controller.The fuel cell stack generates electrical power, and the powercommunication path is coupled between the fuel cell stack and a load ofthe system to communicate the electrical power to the load. The powercommunication path includes a switch, which is operable to selectivelycouple the fuel cell stack to the load and isolate the fuel cell stackfrom the load. The first controller has a first response time to controlthe fuel cell stack and control the power communication path. The secondcontroller has a second response time, which is significantly less thanthe first response time to monitor the power communication path for afault condition and take corrective action in response to detecting thefault condition.

In another embodiment of the invention, a technique includes providing apower communication path to communicate electrical power from a fuelcell stack to a load. The power communication path includes a switch,which is operable to selectively couple the fuel cell stack to the loadand isolate the fuel cell stack from the load. The technique includesproviding a first controller that has a first response to control thefuel cell stack and control the power communication path. The techniquealso includes providing a second controller that has a second responsetime that is significantly less than the first response time to monitorthe power communication for a fault condition and take corrective actionin response to detecting the fault condition.

Advantages and other features of the invention will become apparent fromthe following drawing, description and claims.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a schematic diagram of a system according to an embodiment ofthe invention.

FIG. 2 is a schematic diagram of a switch of a power communication pathof the system of FIG. 1 according to embodiments of the invention.

FIGS. 3A, 3B, 4A and 4B are schematic diagrams depicting circuitry of apower stage controller of the system of FIG. 1 according to anembodiment of the invention.

FIG. 5 is a schematic diagram of the system controller of FIG. 1according to an embodiment of the invention.

DETAILED DESCRIPTION

Dealing with possible system faults in a fuel cell power systemtypically presents challenges related to identifying critical systemfaults and managing the protection safety of the fuel cell power system.Based on system normal functionality, a comprehensive fault managementevaluation analysis (FMEA) identifies the most probable failure modes ina single component fail scenario. There are also cases where a singlefault may not be a problem by itself but may drive to some other unknownfaults depending on the system state. These other faults may not becaptured in the initial component level FMEA and may be even overlookedby designers. Basic system functions are also considered and limitconditions are set in place to prevent major system damage, which iscreated in a single component fault scenario. Multiple protections areusually used in a fuel cell power system. These protections may includeshutting down the fuel cell system based on over and under temperatures(battery temperature, stack temperature, etc.); over and under voltages;over current; minimum or maximum pressures (anode pressure, forexample); minimum or maximum flows; and hydrogen status, as just a fewexamples.

Referring to FIG. 1, an embodiment 10 of a fuel cell-based system inaccordance with the invention includes a fuel cell module 12 thatproduces electrical power, which is consumed by an external load 100. Inthis regard, the fuel cell module 12 may include a fuel cell stack,which promotes electrochemical reactions in response to fuel and oxidantflows through the stack. The electrical power that is produced by thefuel cell module 12 is routed through a power communication path, whichincludes a power communication control switch 20 and a switch mode powerstage 24.

The switch mode power stage 24, in accordance with embodiments of theinvention, is a switching regulator that converts the power that isgenerated by the fuel cell module 12 into the appropriate DC or AC level(depending on the load 100) for the load 100. During normal operation ofthe system 10, the switch 20 is closed to establish electricalcommunication between output terminals 16 of the fuel cell module 12 andinput terminals 17 of the switch mode power stage 24. Thus, during thenormal mode of operation, the switch mode power stage 24 converts itsinput voltage to the appropriate voltage level, which appears on itsoutput terminals 27 that are electrically coupled to the load 100.Should a fault condition, however, be detected in the system 10, thesystem 10 opens the switch 20 to decouple, or isolate, the fuel cellmodule 12 from the switch mode power stage 24.

For purposes of rapidly detecting faults and quickly responding todetected faults, the control subsystem for the system 10 is divided intothree controllers: a relatively slow software-based system controller60; and relatively faster, hardware-based controllers 30 and 80. Due totheir faster response times, the controllers 30 and 80 have the abilityto quickly detect faults and take corrective actions in response to suchdetections. In some embodiments of the invention, the controllers 30 and80 may have a response time on the order of one millisecond (ms), whichis significantly less than a one hundred millisecond response time (as acomparative example) of the system controller 60. Thus, the softwareused connection with the controller 60 permits a relatively flexibledesign in order to handle slowly acting fault detection and corrections.Although the fault protections that are gained by the controllers 30 and80 are not as flexible, the controllers 30 and 80 provide significantlyfaster protection due to their grounding in hardware.

In accordance with some embodiments of the invention, the controller 30controls operations of the switch mode power stage 24, controls theopen/closed state of the switch 20 and detects fault conditions, whichmay arise in the power communication path between the fuel cell module12 and the load 100, such as fault conditions in the switch mode stage24 and/or the switch 20. Upon detecting a fault, the controller 30 opensthe switch 20.

As a more specific example, in accordance with some embodiments of theinvention, the switch mode power stage 24 is a switching regulator,which receives (via communication lines 38) pulse width modulation (PWM)signals for purposes of controlling the switching transistors of theswitch mode power stage 24. In this regard, the switch mode power stage24 furnishes such parameters as the input voltage, output voltage, inputcurrent, output current and temperature of the switch mode power stage24 to the controller 30 via communication lines 34. Based on at leastsome of these parameters, the controller 30 makes adjustments in theduty cycle of the PWM signals for purposes of regulating the switch modepower stage's input current. This information also allows the controller30 to detect the occurrence of a possible fault. If a fault is detected,the controller 30 (via a communication line 42) disables the switch 20to therefore open the switch and isolate the fuel cell module 12 fromthe switch mode power stage 24. The controller 30 also receives (viacommunication lines 46) signals from the switch 20, which the controller30 uses to monitor the health of the switch 20 and determine whether afault has occurred with the switch 20.

In accordance with some embodiments of the invention, the system 10 andload 100 may be portable, or mobile, and more particularly may be (as anexample) part of a motor vehicle 5 (a car, truck, airplane, etc.). Thus,the system 10 may serve as at least part of the power plant (representedby the load 100) of the vehicle. In other embodiments of the invention,the system 10 and load 100 may be part of a stationary system. Forexample, the fuel cell system 10 may supply all or part of the powerneeds of a house, electrical substation, backup power system, etc.Additionally, the system 10 may supply thermal energy to a thermalenergy consuming load (water heater, water tank, heat exchanger, etc.),and thus, electrical as well as thermal loads to the system areenvisioned. Therefore, many different applications of the system andloads that consume energy from the system are contemplated and arewithin the scope of the appended claims.

Turning now to the more specific details, FIG. 2 depicts a schematicdiagram of the switch 20 in accordance with some embodiments of theinvention. The switch 20 includes a switching element 140, which may beformed by, for example, the switching contacts of a relay that includesa coil 134. The coil 134 is energized to close the switching element 140(to therefore close the switch 20) when a signal called “RELAY ENABLE”is asserted (a logic one state, for example). The RELAY ENABLE signal iscommunicated over a relay enable line 124, which extends to variousprotection circuits (described below) that may de-assert (drive low, forexample) the RELAY ENABLE signal should one of the fault productioncircuits detect a fault condition. If the RELAY ENABLE signal isasserted, then a metal-oxide-semiconductor field-effect-transistor(MOSFET) 130 is activated. This energizes the coil 134. When the RELAYENABLE signal is de-asserted, the MOSFET 130 is turned off, whichde-energizes the coil 134 to open the switching element 140 and thus,open the switch 20.

The switching element 140 is electrically coupled between the outputterminal 16 of the fuel cell module 12 and the input terminal 17 of theswitch mode power stage 24. As depicted in FIG. 2, the output terminal16 communicates a voltage called “FC+,” and the input terminal 17communicates a signal called “DC/DC+.” In accordance with someembodiments of the invention, the switch 20 couples the fuel cell module12 to the switch mode power stage 24 before the fuel cell module 12 hasramped up to normal operation. This allows the input capacitors of theswitch mode power stage 24 to charge up at the same time with the fuelcell stack voltage, thereby eliminating the need for special inrushcircuitry. However, certain measures are in place to ensure that theswitch 20 is not closed should certain conditions arise.

For example, in accordance with some embodiments of the invention, theswitch 20 includes circuitry that maintains the switching element 140open if the DC/DC+ voltage is higher than the fuel cell voltage FC+.More specifically, the circuitry may include, for example, an opticalisolation device 120, which is electrically coupled between theterminals 17 and 16. The device 120 is coupled to the line 124, whichcommunicates the RELAY ENABLE signal. If the DC/DC+ voltage is higherthan the FC+voltage, then the optical isolation device 120 is energized,which causes the de-assertion of the RELAY ENABLE signal, therebyplacing/maintaining the switching element 140 in an open state. If,however, the DC/DC+ voltage is lower than the FC+voltage, then theoptical isolation device 120 is not energized, to thereby allow theRELAY ENABLE signal to remain asserted, assuming no other circuitde-asserts this signal.

Among the other features, in accordance with some embodiments of theinvention, the switch 20 may include a current sensor 144, which iscoupled between the terminal 16 and the switch element 140 for purposesof sensing an input current (called “INPUT CURRENT RAW”), which iscommunicated on a communication line 146 and may be further processed bythe controller 30.

FIGS. 3A and 3B depict a portion 30A of the controller 30 in accordancewith some embodiments of the invention. The relay enable line 124 iskept normally asserted (i.e., the RELAY ENABLE signal is normallyasserted) by a resistor 160 that electrically couples the line 124 to apositive supply voltage. In accordance with some embodiments of theinvention, the controller 30 also includes a latch 164 to latch aparticular state of the RELAY ENABLE signal until changed by othercircuitry that is coupled to the line 124. As depicted in FIGS. 3A and3B, the controller 30 includes various comparators circuits that areconnected to the relay enable line 124 and are each configured tode-assert the RELAY ENABLE signal should a fault condition be detectedfor purposes of opening the switch 20.

As a more specific example, in accordance with embodiments of theinvention, the controller 30 includes comparator circuitry 174, whichreceives the output voltage (called V_(OUT)) of the switch mode powerstage 24 for purposes of detecting whether the V_(OUT) voltage hasexceeded a minimum or maximum voltage threshold. In other words, thecomparator circuitry 174 determines whether the V_(OUT) voltage has gonebeyond its operating boundaries. Therefore, if the V_(OUT) voltage iseither above a maximum voltage threshold or below a minimum voltagethreshold, the comparator circuitry 174 de-asserts the RELAY ENABLEsignal.

The controller 30 also includes a comparator circuit 170, whichde-asserts the relay enable line 124 upon detecting a reverse currentscenario, in which current is flowing in a reverse direction from theswitch mode power stage 24 to the fuel cell module 12.

As another example, the controller 30 may include comparator circuitry178 for purposes of monitoring the temperature of the switch mode powerstage 24. In this regard, the comparator circuitry 178 receives a signalcalled “THERMISTOR SENSE,” which indicates the temperature of the switchmode power stage 24. When the THERMISTOR SENSE signal exceeds apredefined threshold, the comparator circuitry 178 de-asserts the relayenable line 124.

The controller 30 may include additional circuitry for purposes ofprocessing signals received from the switch mode power stage 24 toconvert these signals into the appropriate form for either the otherportion 30B (see FIGS. 4A-4B) of the controller 30 or for the systemcontroller 60 (see FIG. 1). For example, in accordance with someembodiments of the invention, the controller 30 includes an amplifier190, which receives the OUTPUT CURRENT RAW signal from the currentsensor 191 and filters and amplifies the signal to produce a signalcalled “OUTPUT CURRENT READBACK,” which is furnished to the systemcontroller 60.

In accordance with some embodiments of the invention, the controller 30may include a circuit 198 which produces a signal called “CURRENTLIMIT,” which indicates (when asserted) that current limiting is to beimposed. In this regard, assertion of the CURRENT LIMIT signal limitsthe current from the fuel cell module 12 after the fuel cell stackvoltage falls under a safe threshold. Assertion of the CURRENT LIMITsignal effectively brings the fuel cell stack current down close to zeroamps and prevents cell reversal at the same time.

Among the other features that are depicted in FIGS. 3A and 3B, thecontroller 30 may include circuitry 180, which includes a MOSFET 184 togenerate a signal called “RUN” that indicates the status of the RELAYENABLE signal. In this regard, a PWM controller 220 (see FIGS. 4A-4B) ofthe controller 30 is enabled when the RUN signal is asserted anddisabled otherwise. Due to this feature, when the switch 20 is open, thecontroller 30 ceases controlling operation of the switch mode powerstage 24.

FIGS. 4A-4B generally depict another part 30B of the controller 30 inaccordance with some embodiments of the invention. As shown in FIGS.3A-3B, the controller 30 may include the PWM controller 220, whichgenerates PWM signals called “GATE_DRIVE 1 and GATE_DRIVE 2,” which areprovided to the switch mode power stage 24. The duty cycles of theGATE_DRIVE 1 and GATE_DRIVE 2 signals are controlled in response tofeedback from current sensor 144 and CURRENT_COMMAND+ andCURRENT_COMMAND− signals, which are received from the system controller60. In this regard, the controller 30 includes an amplifier 242, whichamplifies a difference between the CURRENT_COMMAND− and theCURRENT_COMMAND+ signals to provide a corresponding control signal to aninput line 240 to the PWM controller 220. The drain-source path of aMOSFET 244 is also connected to the line 240 for purposes of limitingthe current of the power stage 24 when the CURRENT LIMIT signal isasserted. The controller 30 also includes, in accordance with someembodiments of the invention, an amplifier 230 that receives the INPUTCURRENT RAW signal and produces an input current read back signal thatis communicated to the controller 60.

Referring back to FIG. 1, similar to the switch mode power stagecontroller 30, the fuel cell module controller 80 also has a relativelyfast response time for purposes of detecting faults in the fuel cellmodule 12, shutting down valves and other safety related controls of thefuel cell module 12 and possibly opening the switch 20 in the case of adetected fault. In general, the fuel cell module controller 80 receives(via communication lines 50) indications of pressure, temperature,hydrogen safety and supply voltages from the fuel cell module 12. Basedon these parameters, the fuel cell module controller 80 determineswhether a fault has occurred and controls the appropriate valves andother safety related controls via communication lines 54. The fuel cellmodule controller 80 may also provide various parameters to the systemcontroller 60 (via communication lines 58), such as fuel cell status,temperature, average voltages, minimum and maximum cell voltages andother operational parameters. As depicted in FIG. 1, the systemcontroller 60 has the capability of selectively enabling and disablingthe controllers 30 and 80 via communication lines 81 and 31,respectively.

As also depicted in FIG. 1, the system application controller 60receives various parameters directly from the fuel cell module 12 andthe switch mode power stage 24. For example, the fuel cell module 12communicates (via communication lines 59) voltage, pressure and flowinformation to the system controller 60. The switch mode power stage 24may communicate, as examples, the output voltage of the stage 24, theoutput current of the stage 24 and its temperature via communicationlines 76.

Referring to FIG. 5, in accordance with some embodiments of theinvention, the controller 60 is primarily implemented in software andincludes a processor 320, which executes instructions that are stored ina memory 300. It is noted that the processor 320 may include one or moremicroprocessors and/or microcontrollers, depending on the particularembodiments of the invention. Furthermore, the memory 300 may representan internal memory, contiguous memory, external memory, etc., dependingon the particular embodiment of the invention. In general, the memory300 stores instructions 308, which the processor 320 executes during thenormal operation of the system 10. Thus, the processor 320, whenexecuting instructions 308, generally regulates the stack current,cathode blower, reformer, etc., for purposes of regulating the overalloperation of the system 10.

The memory 300 also includes health monitoring instructions 304, whichthe processor 320 executes for purposes of monitoring the system 10 forvarious faults. It is noted that these faults are associated with moreslowly varying variables than the variables monitored by the controllers80 and 30. The slowly-varying variables may include, for example,variables that indicate an input current demand and input current readback mismatch, and variables that are related to stack temperature,pressure, average voltages and other slow variables. In accordance withsome embodiments of the invention, the health monitoring functionperformed by the controller 60 categorizes the system to be in one ofthree states: normal, re-startable and terminal. In terms of shut downmodes, the health monitoring routine causes the processor 320 to formone of three shut downs: soft shutdown, hard shut down and faultshutdown. Soft shutdown is a controlled shutdown. For example, in acontrolled shutdown scenario, the fuel cell module 12 properlydischarges the fuel cells first. The hard shutdown is a shutdown thatresponds quickly to fault conditions. For a hard shutdown, the fuel cellmodule 12 is immediately commanded to turn off the blower and set thefuel cell current to zero and opens the switch 20. The fault shutdown isthe fastest response of all shut downs and it is only used in a fatalerror, such as when the unit is tipped over.

Warning may also be defined, which gives the operator an indication of asystem malfunction and allow operator to fix the malfunction duringmaintenance. For example, if the output current sensor 191 of thecontroller 30 is disconnected then the operator is given an opportunityto reconnect the sensor 191.

While the invention has been disclosed with respect to a limited numberof embodiments, those skilled in the art, having the benefit of thisdisclosure, will appreciate numerous modifications and variationstherefrom. It is intended that the appended claims cover all suchmodifications and variations as fall within the true spirit and scope ofthe invention.

What is claimed is:
 1. A system, comprising: a fuel cell stack togenerate electrical power; a power communication path coupled betweenthe fuel cell stack and a load of the system to communicate theelectrical power to the load, the power communication path comprising aswitch operable to selectively couple the fuel cell stack to the loadand isolate the fuel cell stack from the load; a first controller havinga first response time to control the fuel cell stack and control thepower communication path; and a second controller having a secondresponse time less than the first response time to monitor the powercommunication path for a fault condition occurring in the powercommunication path and take corrective action in response to detectingthe fault condition.
 2. The system of claim 1, wherein the secondcontroller is adapted to open the switch to halt the communication ofelectrical power through the power communication path in response todetecting the fault condition.
 3. The system of claim 1, wherein thesecond response time is approximately one hundredth of the firstresponse time.
 4. The system of claim 1, wherein the first controllerprimarily comprises a processor to execute software instructions tocontrol the fuel cell stack and the power communication path and thesecond controller primarily comprises hardware that does not executeinstructions to monitor the power communication path for a faultcondition and take corrective action in response to detecting the faultcondition.
 5. The system of claim 4, wherein the power conditioningcircuitry comprises a power stage of a switching regulator.
 6. Thesystem of claim 1, wherein the power communication path comprises powerconditioning circuitry and the second controller monitors the powerconditioning circuitry for a fault condition.
 7. The system of claim 1,wherein the second controller is selectively enabled by the firstcontroller.
 8. The system of claim 1, wherein the second controller isadapted to monitor for a fault condition selected from the following: anoutput voltage of the power communication path being outside of apredetermined voltage range; a current in the power communication pathflowing in a reverse direction in the power communication path; and atemperature in the power communication path exceeding a predeterminedtemperature threshold.
 9. The system of claim 1, wherein the switch isadapted to prevent closure of the switch in detecting a voltage of thefuel cell being lower than an input voltage of the power communicationpath.
 10. The system of claim 1, further comprising: a least oneadditional controller to monitor a subsystem to the fuel cell system todetect a fault condition and take corrective action in response to thedetection of the fault condition, said at least one additionalcontroller having a response time that is significantly less than thefirst response time of the first controller.
 11. The system of claim 10,wherein the said at least one additional controller is adapted to beselectively enabled and disabled by the first controller.
 12. The systemof claim 10, wherein the subsystem comprises the fuel cell stack. 13.The system of claim 1, wherein the first controller is adapted to detecta fault condition occurring in the fuel cell system and take correctiveaction in response to the detection of the fault condition.
 14. Thesystem of claim 1, wherein the fuel cell stack, the power communicationpath, the first controller and the second controller are part of a motorvehicle.
 15. A method, comprising: providing a power communication pathto communicate electrical power from a fuel cell stack to a load, thepower communication path comprising a switch operable to selectivelycouple the fuel cell stack to the load and isolate the fuel cell stackfrom the load; providing a first controller having a first response timeto control the fuel cell stack and control the power communication path;and providing a second controller having a second response time lessthan the first response time to monitor the power communication path fora fault condition in the power communication path and take correctiveaction in response to detecting the fault condition.
 16. The method ofclaim 15, further comprising: opening the switch to halt thecommunication of electrical power through the power communication pathin response to the second controller detecting the fault condition. 17.The method of claim 15, wherein the second response time isapproximately one hundredth of the first response time.
 18. The methodof claim 15, wherein the first controller primarily comprises aprocessor to execute software instructions to control the fuel cellstack and the power communication path and the second controllerprimarily comprises hardware that does not execute instructions tomonitor the power communication path for a fault condition and takecorrective action in response to detecting the fault condition.
 19. Themethod of claim 15, further comprising: using the first controller toselectively enable the second controller.
 20. The method of claim 15,wherein the fault condition comprises one of the following: an outputvoltage of the power communication path being outside of a predeterminedvoltage range; a current in the power communication path flowing in areverse direction in the power communication path; and a temperature inthe power communication path exceeding a predetermined temperaturethreshold.
 21. The method of claim 15, further comprising: providing atleast one additional controller to monitor a subsystem to the fuel cellsystem to detect a fault condition and take corrective action inresponse to the detection of the fault condition, said at least oneadditional controller having a response time that is significantly lessthan the first response time of the first controller.
 22. The method ofclaim 21, further comprising: using the first controller to selectivelyenable and disable the second controller.